Added new yara rules 2024-06-21

shu-tom · shu-tom · commit 7e396a91b1d2 · 2024-06-21T08:31:26.000Z
diff --git a/APT29/apt29.yara b/APT29/apt29.yara
@@ -57,4 +57,31 @@ rule APT29_csloader_code {
         uint32(uint32(0x3c)) == 0x00004550 and
         ((#size >= 4 and $process and 1 of ($command*) and 1 of ($resource*)) or
         $pdb)
+}
+
+rule malware_cobaltstrike_workersdevloader {
+     meta:
+        description = "CobaltStrike loader using workers.dev"
+        author = "JPCERT/CC Incident Response Group"
+        hash = "a7e5080067751ef41254ec4c9f3b6e3ac7cdeca703bdddfc9afb194afee3c124"
+        hash = "fc7eba3306463b091066b51dc7a890233710b2755b9526f5c1a8365c478caa16"
+
+     strings:
+        $xorcode = { 41 8A 0C 10 80 F1 ?? 88 0A 48 FF C2 49 83 E9 01 }
+        $jnk = { 48 3B 15 ?? ?? ?? 00 48 8D 05 ?? ?? FF FF 48 89 45 10 74 16 48 89 02 }
+        $str = "root\\cimv2" ascii
+        $folder = "{80C23C0F-1FE2-45D3-ACA0-4936A6875179}" ascii wide
+        $pdb = "G:\\viewer\\bin\\viewerlib.pdb" ascii wide
+        $opt1 = "--is_ready=" ascii wide
+        $opt2 = "--doc_path=" ascii wide
+        $opt3 = "--parent_path=" ascii wide
+        $opt4 = "--parent_id=" ascii wide
+        $opt5 = "--auto=" ascii wide
+
+     condition:
+       uint16(0) == 0x5A4D and
+       uint32(uint32(0x3c)) == 0x00004550 and
+       (
+        $pdb or $folder or 3 of ($opt*) or ($str and $xorcode and #jnk > 10)
+       )
 }
diff --git a/Kimsuky/Kimsuky.yara b/Kimsuky/Kimsuky.yara
@@ -0,0 +1,50 @@
+rule Kimsuky_downloader_vbs
+{
+    meta:
+        description = "VBS file to download Powershell used by Kimsuky" 
+        author = "JPCERT/CC Incident Response Group" 
+        hash = "36997232fc97040b099fedc4f0c5bf7aed5d468533a27924dc981b94ca208d71" 
+
+    strings:
+        $s1 = "PokDoc -Slyer 'xxx'" ascii
+        $s2 = "InfoKey -ur 'xxx'" ascii
+        $s3 = "iex (wget xxx" ascii
+        $s4 = "pow_cmd = Replace(pow_cmd, \"xxx\", uri)" ascii
+
+    condition:
+        3 of them
+}
+
+rule Kimsuky_PokDoc_ps1
+{
+    meta:
+        description = "Powershell file to collect device information used by Kimsuky" 
+        author = "JPCERT/CC Incident Response Group" 
+        hash = "82dbc9cb6bf046846046497334c9cc28082f151e4cb9290ef192a85bdb7cc6c8" 
+
+    strings:
+        $s1 = "Function PokDoc {" ascii
+        $s2 = "Param ([string] $Slyer)" ascii
+        $s3 = "boundary`r`nContent-Disposition: form-data; name=\";" ascii
+        $s4 = "$conDisp`\"file`\"; filename=`\"" ascii
+
+    condition:
+        3 of them
+}
+
+rule Kimsuky_InfoKey_ps1
+{
+    meta:
+        description = "Powershell file with keylogger functionality used by Kimsuky" 
+        author = "JPCERT/CC Incident Response Group" 
+        hash = "cc2355edb2e2888bae37925ec3ddce2c4c7a91973e89ee385074c337107175ca" 
+
+    strings:
+        $s1 = "Global\\AlreadyRunning19122345" ascii
+        $s2 = "if(($upTick -eq 0) -or (($curTick - $upTick) -gt $tickGap)){" ascii
+        $s3 = "`n----- [Clipboard] -----`n\" + [Windows.Clipboard]::GetText()"
+        $s4 = "`n----- [\" + $t + \"] [\" + $curWnd.ToString() + \"] -----`n"
+
+    condition:
+        3 of them
+}
diff --git a/other/doplugs.yara b/other/doplugs.yara
@@ -0,0 +1,55 @@
+rule malware_DOPLUGS {
+    meta:
+        description = "DOPLUGS"
+        author = "JPCERT/CC Incident Response Group"
+        hash = "2a6015505c83113ff89d8a4be66301a3e6245a41"
+    
+    strings:
+        $data1 = "CLSID" ascii wide
+        /* Decode API Name
+        8b 14 24:       MOV EDX,dword ptr [ESP]
+        8a 5c 14 10:    MOV BL,byte ptr [ESP + EDX*0x1 + 0x10]
+        8b 0c 24:       MOV ECX,dword ptr [ESP]
+        88 df:          MOV BH,BL
+        f6 d7:          NOT BH
+        20 cf:          AND BH,CL
+        f6 d1:          NOT CL
+        20 d9:          AND CL,BL
+        08 f9:          OR  CL,BH
+        88 4c 14 10:    MOV byte ptr [ESP + EDX*0x1 + 0x10],CL
+        */
+        $enc1 = {8B 14 24 8A 5C 14 10 8B 0C 24 88 DF F6 D7 20 CF F6 D1 20 D9 08 F9 88 4C 14 10 8B 0C 24 41 EB}
+        
+        /* Decode API Name
+        8b 14 24:       MOV EDX, dword ptr [ESP]
+        89 d0:          MOV EAX, EDX
+        80 e2 7c:       AND DL , ??
+        f6 d0:          NOT AL
+        24 83:          AND AL , ??
+        08 c2:          OR  DL , ??
+        */
+        $enc2 = {8B 14 24 89 D0 80 E2 ?? F6 D0 24 ?? 08 ??}
+    
+    condition:
+        uint16(0) == 0x5A4D and all of them
+}
+
+rule malware_DOPLUGSLoader {
+    meta:
+        description = "DOPLUGS Loader"
+        author = "JPCERT/CC Incident Response Group"
+        hash = "c7e9c45b18c8ab355f1c07879cce5a3e58620dd7"
+
+    strings:
+        $data1 = "NimMain" ascii wide
+        /* RC4 Decrypt
+        8b b4 b5 e8 fb ff ff:   MOV   ESI, dword ptr [EBP+ESI*0x4 + 0xfffffbe8]
+        0f b6 44 3b 08:         MOVZX EAX, byte ptr[EBX + EDI*0x1 + 0x8]
+        31 f0:                  XOR   EAX, ESI
+        3d ff 00 00 00:         CMP   EAX, 0xff        
+        */
+        $enc = {8b b4 b5 e8 fb ff ff 0f b6 44 3b 08 31 f0 3d ff 00 00 00}
+
+    condition:
+        uint16(0) == 0x5A4D and all of them
+}
diff --git a/other/webrcs.yara b/other/webrcs.yara
@@ -0,0 +1,47 @@
+import "pe"
+
+rule malware_webrcs_lnk {
+    meta:
+        description = "lnk used to execute webrcs"
+        author = "JPCERT/CC Incident Response Group"
+        hash = "405b2933f2638767980171f3cb09e3f3ee598965d74dd5a041cac97e4e1b893d"
+
+    strings:
+        $s1 = "'+$pid+'.dll';ni " ascii wide
+        $s2 = "-I D;saps $f;cp desktop.ini " ascii wide
+        $s3 = ";if(Test-Path $n){saps $" ascii wide
+
+    condition:
+        (uint32(0) == 0x0000004C) and
+        2 of them
+}
+
+rule malware_webrcs {
+    meta:
+        description = "webrcs malware"
+        author = "JPCERT/CC Incident Response Group"
+        hash = "74aa2eedaa6594efa2075ea2f4617ed3206d228b8fae5fc54382630764bdb5ad"
+
+    strings:
+        $s1 = "C:\\boringssl_x86\\ssl\\encrypted_client_hello.cc" ascii 
+        $s2 = "_rloader@4" ascii
+        $s3 = "shell" wide
+        $s4 = {
+			83 3A 10
+			0F 85 ?? ?? ?? ??
+			83 39 0F
+			75 ??
+			83 38 0F
+			75 ??
+			83 78 ?? 41
+		}
+        $s5 = "cqWKroElukZpUd7X2FRJhAC3IS05j6efzDmaVwv4igGtTY89sOx1QHPNBMLybn+-" ascii
+
+    condition:
+        uint16(0) == 0x5A4D and
+        uint32(uint32(0x3c)) == 0x00004550 and
+        (pe.overlay.size > 512000 and
+        uint8(pe.overlay.offset) == 0xBF and
+        uint32(pe.overlay.offset + 4) == 0x09E8006A) or
+        3 of them
+}
